11-04-2001 02:10 AM - edited 03-08-2019 09:03 PM
We are having NIMDA problems like crazy. We did the class map like instructed to block out the traffic, but it is still getting to our servers. We are running a Cisco 2610 router with two serials and one Ethernet. Both serials have a T1 each coming in on them, and the Ethernet sends those T1s out to our Ethernet switch. Config in question is below:
The class map we created:
class-map match-any http-hacks
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
match protocol http url "*.ida*"
match protocol http url "*readme.eml*"
The Policy map we created:
policy-map drop-hack
class http-hacks
police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
This is our Ethernet that goes out to our switch. Should it have the service policy on it as well? Not clear on this:
interface Ethernet0/0
The first T1 and I have the service policy activated on it. The IP access group is for IPs that we block out from our network:
interface Serial0/0
ip access-group 6 in
service-policy input drop-hack
The second T1 and I have the service policy activated on it. The IP access group is for IPs that we block out from our network:
interface Serial0/1
ip access-group 6 in
service-policy input drop-hack
Thank You
Alvin Slocombe
11-12-2001 06:58 AM
This URL is useful: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/snam_wp.htm
11-13-2001 07:30 AM
Is there any way to aggregate NIMDA into one alarm? Getting too many alarm emails. Only idea I had is to reduce severity on 5 of the six alarms I get, but I don't like that.
re:
NIDS operators will not see an alarm that identifies Nimda by name. They will see a series of these alarms as Nimda tries different exploits to compromise the target. These alarms will identify the source address of hosts that have been compromised and should be isolated from the network, cleaned, and patched.
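Added example, not part of the original thread: since the reply above treats the source address as the useful part of each alarm, this sketch collapses web-server log hits into one record per source, matching request URLs against the four globs from the class-map in the first post. The Common Log Format input, the sample lines, the function names and the case-insensitive matching are assumptions of this example, not NBAR or NIDS behaviour.

```python
import re
from fnmatch import fnmatchcase

# URL globs copied from the class-map in the first post.
PATTERNS = ["*cmd.exe*", "*root.exe*", "*.ida*", "*readme.eml*"]

# Assumed input format (Common Log Format):
# host ident user [time] "METHOD url PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+$')

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Nov/2001:02:01:10 -0500] "GET /scripts/root.exe HTTP/1.0" 404 -
192.0.2.10 - - [04/Nov/2001:02:01:11 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 -
192.0.2.10 - - [04/Nov/2001:02:01:12 -0500] "GET /default.ida HTTP/1.0" 404 -
198.51.100.7 - - [04/Nov/2001:02:03:40 -0500] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [04/Nov/2001:02:03:41 -0500] "GET /README.EML HTTP/1.0" 404 -
203.0.113.5 - - [04/Nov/2001:02:04:02 -0500] "GET /products/list.html HTTP/1.0" 200 880
"""

def matched_pattern(url):
    """Return the first class-map glob the URL matches, or None."""
    lowered = url.lower()  # case-insensitive matching is this example's choice
    for pattern in PATTERNS:
        if fnmatchcase(lowered, pattern):
            return pattern
    return None

def aggregate(lines):
    """Collapse every matching request into one record per source address."""
    alerts = {}
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed log format
        src, ts, url = m.groups()
        pattern = matched_pattern(url)
        if pattern is None:
            continue
        entry = alerts.setdefault(src, {"hits": 0, "patterns": set(), "first": ts, "last": ts})
        entry["hits"] += 1
        entry["patterns"].add(pattern)
        entry["last"] = ts  # assumes the log is in chronological order
    return alerts

if __name__ == "__main__":
    for src, a in aggregate(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {a['hits']} hits, {sorted(a['patterns'])}, {a['first']} .. {a['last']}")
```

Each record names one host to isolate, clean and patch, however many individual probes it sent.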